This year the internal audit agenda for the financial services industry is more than a little crowded. Global macroeconomic uncertainty, rock-bottom interest rates, soaring regulatory expectations, cybersecurity threats and attacks, legacy information technology (IT) systems, fintech, blockchain and other disruptive innovations — and that’s before we even get to fulfilling the core mission of delivering effective assurance.
The message of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study is clear: Assurance alone is no longer enough. Assurance remains at the core of the internal audit function — value-added work for stakeholders cannot detract from that. But survey respondents, which included executives and board members who work closely with internal auditors, indicated they want more. Specifically:
- Consulting on business process improvements
- Alerting operational management to emerging issues and changing regulatory and risk scenarios
- Facilitating and monitoring effective risk management practices by operational management
- Detecting shifts in the organization’s implicit risk appetite
- Identifying known and emerging risk areas
More than 70 percent of board members and executives believe internal audit should take a more active role in assessing and evaluating strategic risks. This is a mandate for chief audit executives and internal auditors to think more strategically when evaluating risks and ensuring their audit plans are sufficiently risk based.
Implicit in all of these value-added functions is the importance of maintaining objectivity. Such consulting approaches a fine line that regulators tend to review closely. And, of course, all of that is in addition to assurance, which remains internal audit’s primary objective. The good news is that respondents gave internal audit high marks for assurance activities, and especially for establishing audit plans to assess areas or topics that are significant and highly relevant to the organization and consistent with organizational goals. There were five assurance areas, however, that respondents agreed could use improvement, including:
- Effectively validating that executive management promotes appropriate ethics and values within the organization
- Communicating which risks or activities of the organization are not covered by the internal audit plan
- Assessing the adequacy and effectiveness of governance
- Demonstrating sufficient knowledge of key IT risks and controls in performing audit engagements, and
- Demonstrating sufficient knowledge of fraud and corruption to identify red flags indicating possible fraud or corruption when planning and conducting audit engagements
Looking ahead, executives and directors said they are increasingly turning to internal audit for advice on business process improvements and see opportunities for auditors to add even more value through data analysis and so-called “soft” skills, including change management and facilitating interdepartmental communication.
For more detailed analysis and survey results, you can download the report here.